Solved: Re: Full-Tunnel Site-to-site VPN

Zac576 · ‎08-30-2021

Hi all:

I want to configure a site-to-site vpn between two C1100 series routers. I know how to do a split-tunnel configuration, but I'm wondering what I would do differently for a full-tunnel? Say I have Site A and Site B. Both sites have internet, but I want to funnel all traffic from Site A to Site B so that internet traffic comes out of only Site B.

Say the local subnets are 192.168.1.0/24 for Site A and 192.168.2.0/24 for Site B. I am thinking that I would have my ACLs (to identify 'interesting' traffic for the VPNs) would look something like this:

Site A:

ip access-list extended Site_A_VPN_ACL

permit 192.168.1.0 0.0.0.255 any

Site B:

ip access-list extended Site_B_VPN_ACL

permit 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Would this work? I'm having a hard time finding a config guide for what I'm trying to do. I'm finding only guides that result in a split-tunnel configuration.

Rob Ingram · ‎08-30-2021

@Zac576

Your crypto ACLs would need to mirror each other, so you'd need "any" on the Site B ACL, otherwise you'll have a mismatch and you'll be unable to tunnel the internet traffic over the VPN.

View solution in original post

Rob Ingram · ‎08-30-2021

@Zac576

Your crypto ACLs would need to mirror each other, so you'd need "any" on the Site B ACL, otherwise you'll have a mismatch and you'll be unable to tunnel the internet traffic over the VPN.

Zac576 · ‎08-30-2021

So would the ACL at Site B have to look like this:

ip access-list extended Site_B_VPN_ACL

permit ip any 192.168.1.0 0.0.0.255

Zac576 · ‎08-30-2021

I did a bit more reading and I'm starting to wonder if I'm taking the right approach to this. I saw a note in this document (https://www.cisco.com/c/en/us/td/docs/security/vpn_modules/6342/vpn_cg/6342site3.html) that recommends against using the 'any' keyword.

"We recommend that you configure "mirror image" crypto access lists for use by IPSec and that you avoid using the any keyword."

Also, all the guides I see are creating ACLs to encrypt only the LAN subnets on each router. Is split-tunnel the only option when using IPSEC tunnels?

Rob Ingram · ‎08-30-2021

@Zac576 If you want to route internet over a VPN using a policy based VPN (crypto map) you'd have to use "any".

Alternatively use a route based VPN, assign the outside/internet facing interface in a dedicted VRF with a default route via the ISP next hop....to establish the VPN tunnel. Then the inside interface and tunnel interfaces can remain in the global or another vrf, from there you can advertise a default route over the VPN tunnel.

Zac576 · ‎08-30-2021

Ok, I'll give it a go in my lab. I'll fix my ACLs so they look like this:

Site A:

ip access-list extended Site_A_VPN_ACL

permit ip 192.168.1.0 0.0.0.255 any

Site B:

ip access-list extended Site_B_VPN_ACL

permit ip any 192.168.1.0 0.0.0.255

But in addition to this, I'm guessing that I'll have to add the 192.168.1.0/24 network to the NAT ACL on the router for Site B. Is that correct?

Rob Ingram · ‎08-30-2021

@Zac576

Yes, you'll need NAT configured on SiteB's router for that Site A network 192.168.1.0/24 to access the internet.

Zac576 · ‎08-30-2021

So I added 192.168.1.0/24 to the NAT ACL on Router-B, but I still can't ping google's dns (8.8.8.8). I'll attach my configs to this email. The routers in my lab are 2900 series routers running 15.4. I trimmed out stuff that isn't relevant and replaced Router-A and Router-B's public ip with 1.1.1.1 and 2.2.2.2 respectively.

From Router-A, I can ping 192.168.4.1 when sourced with 192.168.1.1 (interface loopback0), and 192.168.4.1 can ping back.

When I run 'ping 8.8.8.8 source lo0' from Router-A I can see the #pkts decaps, decrypt, and verify counters increment on the ipsec security association on Route-B. That makes me think that the packets are going through the IPsec tunnel and leads me to think that something on Router-B isn't correct. No NAT sessions are created, but I added the 192.168.1.0/24 subnet to the NAT ACL. There is no NAT config on Router-A.

MHM Cisco World · ‎08-31-2021

policy ACL

permit x.x.x.x any ?

any meaning if you send packet to 8.8.8.8 DNS it also will encrypt and pass through IPSec,

you need

permit x.x.x.x y.y.y.y

try this.

Zac576 · ‎08-31-2021

But I want that traffic to pass through the IPSec tunnel and go out the other router. I realize that part the problem is a lack of understanding on my part. From what I understand, the ACL identifies traffic to be passed through the IPSec tunnel. I want all traffic from the 192.168.1.0/24 subnet to pass through the tunnel and that's why there's an 'any' in that ACL. If my reasoning isn't right please let me know.

MHM Cisco World · ‎09-03-2021

OK, you are right ALL traffic will pass if you config policy ACL any.

but instead of ping 8.8.8.8 please config loopback Router-B and try again.

NOTE:- be sure that loopback is reachable from Router-A

MHM Cisco World · ‎08-30-2021

Split-tunnel
if match policy ACL then encrypt, BUT here the new packet have two IP header, One is the original which is encrypt via ESP and outer IP header is the IP address of the interface "under which the crypto map is config" and the destination is IPSec IP peer.
if not then not encrypt.

if not match policy ACL then will not encrypt, here there is only one IP header, So you must be sure the IP destination is reachable otherwise you need NAT.